Hi All,
Kindly give your thoughts on the questions below.
1. How to create a high-level use case to detect malicious activity in a Splunk indexer which is in a weak network? What log sources can be considered?
2. How to create a high-level use case to detect malicious activity in the base OS of Splunk? What log sources can be considered?
Thank you
Hello @Aleena,
Yes. You'd have to install the application on your search head. Then modify the macros used in the SPLs to match the index where you are storing the Sysmon logs, and let Splunk do the rest 🙂
Alternatively, you can always install the app on your test environment or local system and copy-paste the searches from there, which sounds a bit tedious to me, frankly.
I highly recommend you look into the ES Content Update app as well. The use cases on different stages of the cybersecurity kill chain, described in such an easy way, will really intrigue you. They provide the use cases along with the SPL for them, and explain the attacks in the most generic manner under the section "Explain it like I'm 5" in every alert.
Hope this helps. Let me know if you need more help with it.
Thanks!
S
Please mark it as the answer if it helps you.
I'd consider ingesting System Monitor (Sysmon) logs and then making use cases out of them. There's a great Splunk app, ES Content Update, which can give you various use cases along with SPL based on different stages of the kill chain. You can also look into the MITRE framework app, which will give you use cases along with SPL regarding modern attacks.
Sysmon logs will go a long way towards giving you deep insights into your indexer. If your organization has an EDR, like CrowdStrike or Carbon Black, I'd recommend installing that on your indexer server. Also, having an antivirus solution on the server always helps.
Hope this helps.
S
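As an added illustration (not from this thread, and not the ES Content Update app's own content), this is what pointing a content app's Sysmon macro at your index and writing one Sysmon-based use case for the indexer host could look like in .conf form on the search head. The index name, the macro name `sysmon`, the host name and the allow-listed image names are assumptions; check the macro name against the app's own default/macros.conf and tune the allow-list to your deployment before enabling it.

```conf
# local/macros.conf on the search head (constructed example).
# Assumes Sysmon events from a Windows indexer land in an index named
# "wineventlog" via the Sysmon add-on, and that the content app's searches
# reference a macro named "sysmon" (verify in the app's default/macros.conf).
[sysmon]
definition = index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

# local/savedsearches.conf - hypothetical use case for the indexer's base OS:
# Sysmon EventCode 1 (process creation) where splunkd.exe is the parent and
# the child is not one of the binaries Splunk itself normally launches.
# "splunk-idx-01" and the allow-list are placeholders for your environment.
[Indexer - Unexpected child process of splunkd]
search = `sysmon` EventCode=1 host=splunk-idx-01 ParentImage="*\\splunkd.exe" \
  NOT Image IN ("*\\splunk-*.exe", "*\\splunkd.exe", "*\\btool.exe") \
  | stats count min(_time) as firstTime max(_time) as lastTime \
      values(CommandLine) as CommandLine by host, User, ParentImage, Image \
  | convert ctime(firstTime) ctime(lastTime)
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
enableSched = 1
alert.track = 1
counttype = number of events
relation = greater than
quantity = 0
```

Run the search ad hoc over a few days of data first to learn which child processes splunkd legitimately spawns on your indexer, then fold those into the allow-list before scheduling it.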
Thanks for your reply. Yes, I agree, the MITRE framework is a very good solution for detection of attacks.
For the MITRE framework app, do I need to install the app to get the use cases along with SPL?
Thanks in advance 😊
Really appreciate your help. I was impressed by your answers. Sure, I will try to install the ES Content app. Thanks a lot. Have a nice day.
Regards,
Nafila Afrin
Thank you very much. I really appreciate your help :) 👍